Introduction
You must do the following 3 steps to execute homebrews on PSP with OFW:
1. Find a user mode vulnerability on PSP.
2. Make a binary loader with the vulnerability.
3. Port HBL (Half-Byte Loader) with it.

mamosuke knows very well how to exploit the PSP, and he translated the articles on wololo.net into Japanese.
But his tutorials are getting too old because of the many changes since then.
So I wrote a new tutorial in Japanese based on my knowledge of how freely I've changed valentine-hbl.
Now I'll translate it into English. Is the PSP over? Yes, so I wrote this tutorial in case I forget.

Recent Changes
* Modifications for valentine-hbl
You may know there were several configuration files and that they were redundant.
I merged them into one file. Moreover, I removed many configuration options.

* Release of PSPLink Mod by 173210
This is not an advertisement, I think. I introduce it only because it is sometimes needed to port HBL.

Index
Chapter 1: Find a user mode vulnerability in PSP
Chapter 2: Make a string to exploit
Chapter 3: Make a binary loader
Chapter 4: Port HBL to the new exploit

Notice
You MUST be able to do the following things.
1. Install software on your PC
2. Use the command line
3. Set the PATH environment variable
4. Explain "directory," "crash," and "vulnerability."
5. Use the cd command
6. Understand numbers prefixed with "0x."
Googled them? Then OK. Follow the next instructions.
If you can understand C and MIPS, why don't you join the development of HBL?

Thanks to:
mamosuke
This tutorial was made by referring to his tutorial.

Last edited by 173210 on Mon May 04, 2015 12:54 am, edited 3 times in total.

This is an article to help you distinguish an exploitable vulnerability from a non-exploitable (or at least not easily exploitable) crash.
But it shows more vulnerabilities than the old tutorials. I think most games are vulnerable to the method in my tutorial.

Making the PSP crash is the first step, but a crash is NOT an exploit! Releasing crashes means letting SCE patch them and make their system more secure. Today, releasing the name of an exploited game is also prohibited. We used to release exploits only with a Hello World, but that just executes arbitrary code which shows the string "Hello World." It is not practical.

Most savegame exploits use the "This is spartaaaaaa" method which was used by MaTiAz with Gripshift. This is a way to find a vulnerability that causes crashes. We use the player's name, which is entered when the player starts a game, because the name will definitely be copied into RAM and it is easy to find the place in the savegame where the name is located. Theoretically, the area to modify doesn't have to be the area where the player's name is stored, but we use that area because this is just a tutorial.

I have released many exploits, but I'm not a hacker. I'm not a programmer, of course. Please note that some expressions may be inappropriate.

You had better acquire basic knowledge of programming, especially variables, addresses, and arrays. You had better know how to use a CLI. Knowledge of MIPS assembly is not necessary, but it helps you understand this tutorial well.

Launch Your Game with PSPLink.
PSPLink is necessary for debugging. You need a PSP with PSPLink installed.
I highly recommend using my modified version of PSPLink. It's necessary for porting in some cases: Releases · 173210/psplinkusb · GitHub
I don't write about the installation because you can find it quickly with Google. When you have finished installing PSPLink, connect the PSP and PC with PSPLink. If you succeed, you'll see the message "Connected to device." (photo by mamo_suke)

The most usual way to cause a stack buffer overflow with a savegame is to insert a very long string somewhere in the savegame. It's very easy because a string is just a sequence of characters. Moreover, you can find strings very easily with PSPLink. But non-ASCII characters are a little hard to search for, so you should use ASCII characters for the string if you can. Enter a unique string, as long as you can, in your game (photo by SCE).

When you have finished entering the string, save your data, restart your game, and load the savegame.
Now, let's see which thread loads your string onto its stack.
Enter the following command in pspsh to find user mode threads.

This example shows the address is 0x0AAAAAAA and the size is 0x00CCCCCC. Look up the stack of each thread.

The preparation is finished. Let's start finding a vulnerability!
At first, you should get your string loaded onto a stack somehow. Your game will copy your string when it is needed, so it may copy it when you open a window which shows your name.
If you think the string has been copied, enter this command in pspsh to find your string in a stack. (Replace 0x0AAAAAAA with the address, 0x00CCCCCC with the size, and STRING with your string.)

TIP: If you can't find your string in the stacks...
You may not be able to find your string in the stacks. Your string may be overwritten by other functions. But don't worry, I have a solution: stop your thread before it overwrites your string by making your thread crash when it copies the string.
Follow the instructions below to cause crashes.

At first, you should be able to decrypt your savegame. MagicSave is a very useful tool to decrypt savegames. Google it and find the instructions. You'll get a decrypted savegame soon.
Next, open your savegame with a hex editor. You can find many instructions on using hex editors with Google.
When you have opened your savegame, find your string stored in the savegame with the search function of the hex editor and overwrite your string with a long string like this (photo by wololo):

When you have finished editing, encrypt it or load the decrypted data with MagicSave.
Your game may crash during some operations. If it doesn't crash at all, make your string longer. If it says the savegame is corrupted, abandon the game.
If it crashed, try the findstr command again.

Last edited by 173210 on Mon May 04, 2015 11:55 am, edited 8 times in total.

The stack pointer holds the current top address of the stack.
If function A calls function B, function B will decrease the stack pointer and save the "return address," the address it should go back to after function B has finished, if necessary.

OMG! Data B and the return address got overwritten!
Then, why don't you store the address of your code as the return address? Replace the last part of your string with the address. Execution should go to your code after function B finishes.
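To see why the saved return address ends up under your string, here is the game-side pattern this chapter describes, written as an added C example (not code from the tutorial, HBL, or any game) beside a hardened version that validates the saved name field before it ever reaches a stack buffer; the field size and function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the player-name field in the savegame (hypothetical). */
#define NAME_FIELD_LEN 16

/* Vulnerable pattern: the name read from the savegame is copied into a
 * fixed-size stack buffer with no length check. A name longer than the
 * buffer runs over the caller's saved data and the saved return address,
 * which is exactly what the long "spartaaaa" string does. */
void show_name_unsafe(const char *saved_name)
{
    char buf[NAME_FIELD_LEN];
    strcpy(buf, saved_name);            /* the bug: no bound on saved_name */
    printf("Player: %s\n", buf);
}

/* Hardened check: validate the raw field before it reaches a stack buffer.
 * Returns 1 if the field holds a printable ASCII name that fits the buffer
 * (terminator included), 0 if it must be rejected. Rejecting instead of
 * silently truncating keeps an overflow attempt visible to the game. */
int name_field_is_valid(const unsigned char *field, size_t field_len)
{
    size_t i;
    for (i = 0; i < field_len; i++) {
        if (field[i] == 0)
            return i < NAME_FIELD_LEN;  /* name plus terminator must fit */
        if (!isprint(field[i]))
            return 0;   /* raw address bytes like 67 45 23 01 are not text */
    }
    return 0;           /* no terminator inside the field: would overrun */
}

/* Returns 1 if the name was shown, 0 if the field was rejected. */
int show_name_safe(const unsigned char *field, size_t field_len)
{
    char buf[NAME_FIELD_LEN];
    if (!name_field_is_valid(field, field_len))
        return 0;
    /* Safe: the check guarantees strlen + 1 <= NAME_FIELD_LEN. */
    memcpy(buf, field, strlen((const char *)field) + 1);
    printf("Player: %s\n", buf);
    return 1;
}
```

Constructed inputs for the check: a normal name passes, while a 24-byte run of "A" followed by the bytes 67 45 23 01 is rejected at the first non-printable byte, before anything is copied to the stack.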

1. Make your thread crash
In chapter 1, you found that it copies your string to the address 0x0EEEEEEE in the stack of the thread whose UID is 0xDDDDDDDD.
We should somehow crash the thread while the stack pointer is lower than the address of your string. There are two ways.

One of them is the bpth command. It can make the thread crash very easily.

2. Disassemble the code
Now, we should understand how the code at 0x08888888 works. This part needs knowledge of MIPS assembly.
Disassemble the part with this command (replace SIZE with the number of instructions you want to see):

3. Dump the stack
You have enough information to exploit. Let's make a string to exploit.
At first, you may need the base data (data B in the first explanation). Load a savegame which doesn't cause a crash and operate the game so that it copies the string to the stack.
JUST BEFORE it copies the string, set a breakpoint at the point which you found in 2 (0x08888888 in the example).

4. Modify the dumped data so that it is recognized as a string, and write the address of your code.
Open memdump.bin with a hex editor and replace every 0x00 with 0x20, because 0x00 is recognized as the end of the string. Then replace the end of the string with 67 45 23 01 (the address 0x01234567; note that MIPS is little endian). Finally, add 0x00 at the end of the file to terminate the string.
Your file will be like this:

Now you've got a string to exploit. Insert the string into your savegame. The way is explained briefly in the tip in chapter 1.
Let's try to exploit with your savegame.
If you fail, you'll see an exception like this:

This guide assumes that you found a user mode exploit in a game, and that you were able to write a binary loader.

So now what's next? Well, as you probably know if you've gone that far, the PSP scene doesn't really like Proof of Concepts. A PoC is nice, but it accomplishes nothing; it just draws Sony's attention to your exploit, and you know the vulnerability will be patched soon, while nobody really used the exploit.

Well, the next step is, ideally, a HEN or a custom firmware. Of course, this requires a kernel exploit, and we know how difficult these are to find. A much more doable task, one that will make lots of people happy, is to port HBL to your exploit. HBL opens the door to lots of legal content on the PSP and the Vita, and we designed it so that porting it to your game exploit can be done fairly easily.

This tutorial is valid at the time of its writing, for all games, and up to firmware 6.61 (Vita firmware 3.50). In theory, HBL will work on future firmwares, but of course new kinds of security might be introduced in new firmwares. Additionally, depending on your game (and its function imports), the compatibility and speed of homebrews might vary.

0. Easy as pie
HBL was designed to be easily ported to new game exploits. Most game-specific files (except one) go in a subfolder that I will describe below. To complete this tutorial, you need basic shell skills, a working pspsdk, a working game exploit and the associated binary loader / hello world, a ruby interpreter, and basic ruby skills (usually, if you know any other scripting language, you'll figure it out easily; there are not so many changes required).

1. Get the HBL sources and compile them
The first step is to get the HBL sources, compile them, and, if you're motivated, test them on an existing game exploit to make sure the copy you have works correctly.
The sources of HBL can be downloaded here (Git client required): https://code.google.com/p/valentine-hbl/source/checkout
In order to compile it, you need the PSPSDK (which you probably already have if you wrote a binary loader). Compilation is fairly easy, but in order to compile HBL for a specific exploit, you have to specify the exploit. For example, make EXPLOIT=miku_extend will compile HBL for the miku_extend exploit.

2. Create your own exploit's configuration
The configuration will be generated by gen_exploit_config.rb.

You need to provide 3 files: memdump.bin, uidlist.txt, and lwmtxlist.txt
- memdump.bin: a user memory dump from PSPLink
("savemem 0x08800000 0x01800000 memdump.bin")
- from the same game session as the memdump: "uidlist.txt",
which is the output of the "uidlist" command in PSPLink
- "lwmtxlist.txt":
the output of the "lwmtxlist" command in PSPLink Mod by 173210.
You don't need it if the game doesn't have lwmutex.

Put these 3 files in the tools folder of valentine-hbl and run gen_exploit_config.rb. (Replace CODENAME with that of your exploit.)

You're almost done, but the file needs to be edited in two places, which you will find because they say "TODO" in big letters.

LOADER_ADDR: This is where your binary loader will load H.BIN in RAM. The value is 0x09000000 if you used my binary loader.

HBL_ROOT: This is the name of the folder where your exploited savedata is. That folder name looks like ms0:/PSP/SAVEDATA/UCUS12345000. Important note: my tutorial on how to create a binary loader assumes you will load a file named ms0:/h.bin. On the PS Vita, this is not possible anymore, so you will have to adapt your binary loader in order to load the exploit from ms0:/PSP/SAVEDATA/XXXXXXX/h.bin (where XXXX is the folder of your savedata). In the Vita version of HBL, all HBL files are in that folder, and there is no subfolder.

4. Compile
* run make EXPLOIT=CODENAME (alternate ways: make EXPLOIT=CODENAME DEBUG=1 to add debug messaging)
* You’re done, grab the H.BIN and HBL.PRX in the root, and the libs_… folders from the root. You now have the meat of your HBL port ready.

5. Last but not least
HBL is licensed under the GPL. If you plan to distribute your compiled binaries, it is required that you provide your source code as well. Don't make us ask for it.

This tutorial is deliberately vague. Porting HBL is fairly easy, but we assume that if you made it that far, you are probably skilled enough to do some research on your own. Nevertheless, don't hesitate to ask questions if you are running into problems.

173210 wrote: ... I was too tired to translate this tutorial into English. It is too long.

Come on, finish up! I was looking for an updated tutorial for this but I came up with nothing. I really want to see it if it explains methods other than buffer overflows as I have yet to see a tutorial explain some alternatives.

Just buffer overflows. You should learn MIPS by yourself if you want to know other methods.